libyaml heap overflow resulting in possible code execution
libyaml was prone to a heap overflow that could result in arbitrary code execution. Pkg uses libyaml to parse the package manifests in some cases. Pkg also used libyaml to parse the remote repository until 1.2. RedHat Product Security Team reports on libyaml: A heap-based buffer overflow flaw was...
ruby -- Heap Overflow in Floating Point Parsing
Ruby developers report: Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to...
monitorix -- serious bug in the built-in HTTP server
Monitorix Project reports: A serious bug in the built-in HTTP server. It was discovered that the handle_request routine did not properly perform input sanitization, which led to a number of security vulnerabilities. An unauthenticated, remote attacker could exploit this flaw to execute arbitrary...
drupal -- multiple vulnerabilities
Drupal Security Team reports: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7). Multiple vulnerabilities due to weakness in pseudorandom number...
nginx -- Request line parsing vulnerability
The nginx project reports: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact CVE-2013-4547...
subversion -- multiple vulnerabilities
Subversion Project reports: mod_dontdothat does not restrict requests from serf-based clients. mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf-based clients send relative URLs...
chromium -- multiple memory corruption issues
Google Chrome Releases reports: 319117 319125 Critical CVE-2013-6632: Multiple memory corruption issues. Credit to Pinkie Pie...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 25 security fixes in this release, including: 268565 Medium CVE-2013-6621: Use after free related to speech input elements. Credit to Khalil Zhani. 272786 High CVE-2013-6622: Use after free related to media elements. Credit to cloudfuzzer. 282925 High CVE-2013-6623...
OpenSSH -- Memory corruption in sshd
The OpenSSH development team reports: A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the...
strongswan -- multiple DoS vulnerabilities
strongSwan Project reports: A DoS vulnerability triggered by crafted IKEv1 fragmentation payloads was discovered in strongSwan's IKE daemon charon. All versions since 5.0.2 are affected. A DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload was...
Joomla! -- Core XSS Vulnerabilities
The JSST and the Joomla! Security Center report: 20131101 Core XSS Vulnerability: Inadequate filtering leads to XSS vulnerability in com_contact. 20131102 Core XSS Vulnerability: Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds. 20131103 Core XSS Vulnerability...
varnish -- DoS vulnerability in Varnish HTTP cache
Varnish Cache Project reports: If Varnish receives a certain illegal request, and the subroutine 'vcl_error' restarts the request, the varnishd worker process will crash with an assert. The varnishd management process will restart the worker process, but there will be a brief interruption of servi...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10). MFSA 2013-94 Spoofing addressbar through SELECT element. MFSA 2013-95 Access violation with XSLT and uninitialized data. MFSA 2013-96 Improperly initialized memory and overflows in some...
gnutls -- denial of service
Salvatore Bonaccorso reports: This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more than 4 DANE entries could corrupt the memory of a requesting client...
node.js -- DoS Vulnerability
node.js developers report: This release contains a security fix for the http server implementation, please upgrade as soon as possible...
pycrypto -- PRNG reseed race condition
Dwayne Litzenberger reports: In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator (PRNG) exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal...
bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports: Cross-Site Request Forgery When a user submits changes to a bug right after another user did, a midair collision page is displayed to inform the user about changes recently made. This page contains a token which can be used to validate the changes if the user...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 5 security fixes in this release, including: 292422 High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of OUSPG. 294456 High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer. 297478 High CVE-2013-2927: Use after free in forms. Credit ...
xorg-server -- use-after-free
Alan Coopersmith reports: Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security team in which an authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption...
Quassel IRC -- SQL injection vulnerability
Quassel IRC developers report: SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a backslash (\) in a message...
gnupg -- possible infinite recursion in the compressed packet parser
Werner Koch reports: Specially crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected...
mod_pagespeed -- critical cross-site scripting (XSS) vulnerability
mod_pagespeed developers report: Various versions of mod_pagespeed are subject to a critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. This permits a hostile third party to execute JavaScript in users' browsers in the context of the domain running mod_pagespeed, which could permit theft of...
polarssl -- Timing attack against protected RSA-CRT implementation
PolarSSL Project reports: The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. For which they then show that it can be used to mount an attack on the RSA key...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 50 security fixes in this release, including: 223962 270758 271161 284785 284786 Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG. 260667 Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky. 265221 Medi...
mod_fcgid -- possible heap buffer overwrite
Apache Project reports: Fix possible heap buffer overwrite...
ruby-gems -- Algorithmic Complexity Vulnerability
Ruby Gem developers report: The patch for CVE-2013-4363 was insufficiently verified so the combined regular expression for verifying gem version remains vulnerable following CVE-2013-4363. RubyGems validates versions with a regular expression that is vulnerable to denial of service due to...
py-suds -- vulnerable to symlink attacks
SUSE reports: cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...
django -- denial-of-service via large passwords
The Django project reports: These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately...
wordpress -- multiple vulnerabilities
The wordpress development team reports: Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user. F...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
FreeBSD -- Insufficient credential checks in network ioctl(2)
Problem Description: As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code. Network interface drivers, however, assume tha...
django -- multiple vulnerabilities
The Django project reports: These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly...
FreeBSD -- Cross-mount links between nullfs(5) mounts
Problem Description: The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the...
ruby-gems -- Algorithmic Complexity Vulnerability
Ruby Gem developers report: RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption...
svnserve is vulnerable to a local privilege escalation vulnerability via symlink attack.
Subversion Project reports: svnserve takes a --pid-file option which creates a file containing the process id it is running as. It does not take steps to ensure that the file it has been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destinati...
asterisk -- multiple vulnerabilities
The Asterisk project reports: Remote Crash From Late Arriving SIP ACK With SDP. Remote Crash when Invalid SDP is sent in SIP Request...
FreeBSD -- Kernel memory disclosure in sctp(4)
Problem Description: When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized. Impact: Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are...
FreeBSD -- integer overflow in IP_MSFILTER
Problem Description: An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. Impact: An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive...
py-graphite-web -- Multiple vulnerabilities
Graphite developers report: This release contains several security fixes for cross-site scripting XSS as well as a fix for a remote-execution exploit in graphite-web CVE-2013-5903...
ansible -- local symlink exploits
MITRE reports: runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/. lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does no...
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav
Bundled version of libav in gstreamer-ffmpeg contains a number of vulnerabilities...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 25 security fixes in this release, including: 181617 High CVE-2013-2900: Incomplete path sanitization in file handling. Credit to Krystian Bigaj. 254159 Low CVE-2013-2905: Information leak via overly broad permissions on shared memory files. Credit to Christian...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9). MFSA 2013-77 Improper state in HTML5 Tree Builder with templates. MFSA 2013-78 Integer overflow in ANGLE library. MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning. MFSA 2013-80...
nas -- multiple vulnerabilities
Hamid Zamani reports: multiple security problems (buffer overflows, format string vulnerabilities and missing input sanitising), which could lead to the execution of arbitrary code...
cacti -- allow remote attackers to execute arbitrary SQL commands
Cacti release reports: Multiple security vulnerabilities have been fixed: SQL injection vulnerabilities...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8). MFSA 2013-64 Use after free mutating DOM during SetBody. MFSA 2013-65 Buffer underflow when generating CRMF requests. MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater. MFS...
samba -- denial of service vulnerability
The Samba project reports: All current released versions of Samba are vulnerable to a denial of service on an authenticated or guest connection. A malformed packet can cause the smbd server to loop the CPU performing memory allocations and preventing any further service. A connection to a file...
phpMyAdmin -- clickJacking protection can be bypassed
The phpMyAdmin development team reports: phpMyAdmin has a number of mechanisms to avoid a clickjacking attack, however these mechanisms either work only in modern browser versions, or can be bypassed. "We have no solution for 3.5.x, due to the proposed solution requiring JavaScript. We don't want...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: Eleven vulnerabilities, including: 257748 Medium CVE-2013-2881: Origin bypass in frame handling. Credit to Karthik Bhargavan. 260106 High CVE-2013-2882: Type confusion in V8. Credit to Cloudfuzzer. 260165 High CVE-2013-2883: Use-after-free in MutationObserver. Cred...